From 57a0f81040e78e7c6c38c2f3359ee44957252eb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 18 Aug 2023 05:54:05 +0200 Subject: [PATCH] feat: use k8s 1.28 libs (#8037) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: use k8s 1.28 libs Signed-off-by: Charles-Edouard Brétéché * fix validating admission policies Signed-off-by: Mariam Fahmy * fix a typo Signed-off-by: Mariam Fahmy --------- Signed-off-by: Charles-Edouard Brétéché 
Signed-off-by: Mariam Fahmy Co-authored-by: Mariam Fahmy --- api/kyverno/v1/zz_generated.deepcopy.go | 2 +- charts/kyverno/templates/crds/crds.yaml | 844 +++++++++++++++++- config/crds/kyverno.io_clusterpolicies.yaml | 422 ++++++++- config/crds/kyverno.io_policies.yaml | 422 ++++++++- config/install-latest-testing.yaml | 844 +++++++++++++++++- go.mod | 38 +- go.sum | 84 +- .../discovery/resource.generated.go | 8 +- .../apiserver/discovery/resource.generated.go | 8 +- pkg/clients/dclient/discovery.go | 2 +- pkg/clients/dclient/fake.go | 2 +- .../client.generated.go | 22 + .../resource.generated.go | 446 +++++++++ .../resource.generated.go | 374 ++++++++ .../kube/authenticationv1/client.generated.go | 11 + .../selfsubjectreviews/resource.generated.go | 83 ++ .../kube/discovery/resource.generated.go | 8 +- .../networkpolicies/resource.generated.go | 72 -- .../networkpolicies/resource.generated.go | 72 -- .../kyverno/discovery/resource.generated.go | 8 +- pkg/controllers/openapi/manager.go | 2 +- .../handlers/validation/validate_cel.go | 23 +- pkg/openapi/manager.go | 4 +- pkg/openapi/utils.go | 4 +- .../validatingadmissionpolicy.go | 40 +- 25 files changed, 3456 insertions(+), 389 deletions(-) create mode 100644 pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicies/resource.generated.go create mode 100644 pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicybindings/resource.generated.go create mode 100644 pkg/clients/kube/authenticationv1/selfsubjectreviews/resource.generated.go diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 56b2d605cd..00f6d2b168 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go 
@@ -231,7 +231,7 @@ func (in *CEL) DeepCopyInto(out *CEL) { if in.ParamRef != nil { in, out := &in.ParamRef, &out.ParamRef *out = new(v1alpha1.ParamRef) - **out = **in + (*in).DeepCopyInto(*out) } if in.AuditAnnotations != nil { in, out := &in.AuditAnnotations, &out.AuditAnnotations diff --git a/charts/kyverno/templates/crds/crds.yaml b/charts/kyverno/templates/crds/crds.yaml index a5aaf20f7a..41ee260efe 100644 --- a/charts/kyverno/templates/crds/crds.yaml +++ b/charts/kyverno/templates/crds/crds.yaml @@ -6301,7 +6301,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -6415,12 +6421,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -10508,10 +10600,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -10630,12 +10729,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -14454,7 +14643,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -14568,12 +14763,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -18715,10 +18996,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -18837,12 +19125,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -23026,7 +23404,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -23140,12 +23524,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -27234,10 +27704,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -27356,12 +27833,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -31181,7 +31748,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -31295,12 +31868,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -35442,10 +36101,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -35564,12 +36230,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 62fdb6cb25..487fb97907 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml 
@@ -2484,7 +2484,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -2598,12 +2604,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -6691,10 +6783,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -6813,12 +6912,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -10637,7 +10826,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -10751,12 +10946,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -14898,10 +15179,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -15020,12 +15308,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 17324b7a8f..97120d76b2 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml 
@@ -2485,7 +2485,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -2599,12 +2605,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -6693,10 +6785,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -6815,12 +6914,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -10640,7 +10829,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -10754,12 +10949,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -14901,10 +15182,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -15023,12 +15311,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 28bf33a224..c5457aa036 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -6504,7 +6504,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -6618,12 +6624,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -10711,10 +10803,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -10833,12 +10932,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -14657,7 +14846,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -14771,12 +14966,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -18918,10 +19199,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -19040,12 +19328,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -23229,7 +23607,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -23343,12 +23727,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -27437,10 +27907,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -27559,12 +28036,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -31384,7 +31951,13 @@ spec: of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'authorizer' + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 
@@ -31498,12 +32071,98 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. 
\n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object 
@@ -35645,10 +36304,17 @@ spec: - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - - 'authorizer' - A CEL Authorizer. May be - used to perform authorization checks for - the principal (user or service account) - of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. \n The `apiVersion`, 
@@ -35767,12 +36433,102 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: Name of the resource being referenced. + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." type: string namespace: - description: Namespace of the referenced resource. - Should be empty for the cluster-scoped resources + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. 
\n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic type: object diff --git a/go.mod b/go.mod index 22d90e3523..472aebc0a3 100644 --- a/go.mod +++ b/go.mod 
@@ -21,7 +21,7 @@ require ( github.com/go-git/go-git/v5 v5.8.1 github.com/go-logr/logr v1.2.4 github.com/go-logr/zapr v1.2.4 - github.com/google/gnostic v0.6.9 + github.com/google/gnostic-models v0.6.8 github.com/google/go-containerregistry v0.16.1 github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230802205906-a54d64203cff github.com/in-toto/in-toto-golang v0.9.0 @@ -73,20 +73,20 @@ require ( gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 gotest.tools v2.2.0+incompatible - k8s.io/api v0.27.4 - k8s.io/apiextensions-apiserver v0.27.4 - k8s.io/apimachinery v0.27.4 - k8s.io/apiserver v0.27.4 - k8s.io/cli-runtime v0.27.4 - k8s.io/client-go v0.27.4 + k8s.io/api v0.28.0 + k8s.io/apiextensions-apiserver v0.28.0 + k8s.io/apimachinery v0.28.0 + k8s.io/apiserver v0.28.0 + k8s.io/cli-runtime v0.28.0 + k8s.io/client-go v0.28.0 k8s.io/klog/v2 v2.100.1 - k8s.io/kube-aggregator v0.27.4 - k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 - k8s.io/pod-security-admission v0.27.4 - k8s.io/utils v0.0.0-20230505201702-9f6742963106 + k8s.io/kube-aggregator v0.28.0 + k8s.io/kube-openapi v0.0.0-20230811205723-7ac0aad8c58d + k8s.io/pod-security-admission v0.28.0 + k8s.io/utils v0.0.0-20230726121419-3b25d923346b sigs.k8s.io/controller-runtime v0.15.1 - sigs.k8s.io/kustomize/api v0.13.4 - sigs.k8s.io/kustomize/kyaml v0.14.2 + sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 + sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 sigs.k8s.io/release-utils v0.7.4 sigs.k8s.io/structured-merge-diff/v4 v4.3.0 sigs.k8s.io/yaml v1.3.0 @@ -94,8 +94,7 @@ require ( require ( cloud.google.com/go/compute v1.20.1 // indirect - github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect - github.com/google/cel-go v0.12.6 // indirect + github.com/google/cel-go v0.16.0 // indirect github.com/stoewer/go-strcase v1.2.0 // indirect ) 
@@ -142,6 +141,7 @@ require ( github.com/alibabacloud-go/tea-utils v1.4.5 // indirect github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/aliyun/credentials-go v1.2.7 // indirect + github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect github.com/aws/aws-sdk-go-v2 v1.20.0 // indirect github.com/aws/aws-sdk-go-v2/config v1.18.32 // indirect github.com/aws/aws-sdk-go-v2/credentials v1.13.31 // indirect @@ -288,7 +288,7 @@ require ( github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_model v0.4.0 // indirect - github.com/prometheus/common v0.42.0 // indirect + github.com/prometheus/common v0.44.0 // indirect github.com/prometheus/procfs v0.10.1 // indirect github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 // indirect github.com/r3labs/diff v1.1.0 // indirect @@ -336,7 +336,7 @@ require ( go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.39.0 // indirect go.opentelemetry.io/proto/otlp v0.19.0 // indirect - go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 // indirect + go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect go.step.sm/crypto v0.32.2 // indirect golang.org/x/mod v0.12.0 // indirect golang.org/x/net v0.14.0 // indirect @@ -357,8 +357,8 @@ require ( gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect - k8s.io/component-base v0.27.4 // indirect - k8s.io/kubectl v0.26.3 // indirect + k8s.io/component-base v0.28.0 // indirect + k8s.io/kubectl v0.28.0 // indirect oras.land/oras-go/v2 v2.2.1 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect ) diff --git a/go.sum b/go.sum index 6bf81c097c..43492a0741 100644 --- a/go.sum +++ b/go.sum 
@@ -206,8 +206,8 @@ github.com/andybalholm/brotli v1.0.0/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= -github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves= -github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= +github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ= github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= @@ -285,7 +285,6 @@ github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnweb github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc= -github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= github.com/buildkite/agent/v3 v3.49.0 h1:FSmRQz8YFhaCXg4MfE7JucPcY7mQ/HWM55ir1j3E9qM= github.com/buildkite/agent/v3 v3.49.0/go.mod h1:iasSyh3KPjOPCnyvnZB1trkkX7jrdL8PnLBgjdVJxgU= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= 
@@ -440,7 +439,6 @@ github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBD github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= 
@@ -678,15 +676,15 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.12.6 h1:kjeKudqV0OygrAqA9fX6J55S8gj+Jre2tckIm5RoG4M= -github.com/google/cel-go v0.12.6/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw= +github.com/google/cel-go v0.16.0 h1:DG9YQ8nFCFXAs/FDDwBxmL1tpKNrdlGUM9U3537bX/Y= +github.com/google/cel-go v0.16.0/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs= github.com/google/certificate-transparency-go v1.1.6 h1:SW5K3sr7ptST/pIvNkSVWMiJqemRmkjJPPT0jzXdOOY= github.com/google/certificate-transparency-go v1.1.6/go.mod h1:0OJjOsOk+wj6aYQgP7FU0ioQ0AJUmnWPFMqTjQeazPQ= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= -github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0= -github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -1216,8 +1214,8 @@ github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= -github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= +github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= +github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= @@ -1262,7 +1260,7 @@ github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -1460,12 +1458,10 @@ github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+ github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM= github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= -github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= -github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= 
@@ -1546,8 +1542,8 @@ go.opentelemetry.io/otel/trace v1.16.0/go.mod h1:Yt9vYq1SdNz3xdjZZK7wcXv1qv2pwLk go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw= go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= -go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 h1:Ss6D3hLXTM0KobyBYEAygXzFfGcjnmfEJOBgSbemCtg= -go.starlark.net v0.0.0-20230302034142-4b1e35fe2254/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= +go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= +go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= go.step.sm/crypto v0.32.2 h1:EhJpFRNgU3RaNEO3WZ62Kn2gF9NWNglNG4DvSPeuiTs= go.step.sm/crypto v0.32.2/go.mod h1:JwarCq+Sn6N8IbRSKfSJfjUNKfO8c4N1mcNxYXuxXzc= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= @@ -1706,7 +1702,6 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 
@@ -2068,7 +2063,6 @@ google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 h1:Au6te5hbKUV8pIYWHqOUZ1pva5qK/rwbIhoXEUB9Lu8= google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y= google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 h1:XVeBY8d/FaK4848myy41HBqnDwvxeV3zMZhwN1TvAMU= 
@@ -2182,32 +2176,32 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.1.4/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
 k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
 k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8=
-k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs=
-k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y=
+k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM=
+k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY=
 k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk=
 k8s.io/apiextensions-apiserver v0.20.2/go.mod h1:F6TXp389Xntt+LUq3vw6HFOLttPa0V8821ogLGwb6Zs=
-k8s.io/apiextensions-apiserver v0.27.4 h1:ie1yZG4nY/wvFMIR2hXBeSVq+HfNzib60FjnBYtPGSs=
-k8s.io/apiextensions-apiserver v0.27.4/go.mod h1:KHZaDr5H9IbGEnSskEUp/DsdXe1hMQ7uzpQcYUFt2bM=
+k8s.io/apiextensions-apiserver v0.28.0 h1:CszgmBL8CizEnj4sj7/PtLGey6Na3YgWyGCPONv7E9E=
+k8s.io/apiextensions-apiserver v0.28.0/go.mod h1:uRdYiwIuu0SyqJKriKmqEN2jThIJPhVmOWETm8ud1VE=
 k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
 k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
-k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs=
-k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
+k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA=
+k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
 k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
 k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA=
-k8s.io/apiserver v0.27.4 h1:ncZ0MBR9yQ/Gf34rtu1EK+HqT8In1YpfAUINu/Akvho=
-k8s.io/apiserver v0.27.4/go.mod h1:GDEFRfFZ4/l+pAvwYRnoSfz0K4j3TWiN4WsG2KnRteE=
-k8s.io/cli-runtime v0.27.4 h1:Zb0eci+58eHZNnoHhjRFc7W88s8dlG12VtIl3Nv2Hto=
-k8s.io/cli-runtime v0.27.4/go.mod h1:k9Z1xiZq2xNplQmehpDquLgc+rE+pubpO1cK4al4Mlw=
+k8s.io/apiserver v0.28.0 h1:wVh7bK6Xj7hq+5ntInysTeQRAOqqFoKGUOW2yj8DXrY=
+k8s.io/apiserver v0.28.0/go.mod h1:MvLmtxhQ0Tb1SZk4hfJBjs8iqr5nhYeaFSaoEcz7Lk4=
+k8s.io/cli-runtime v0.28.0 h1:Tcz1nnccXZDNIzoH6EwjCs+7ezkUGhorzCweEvlVOFg=
+k8s.io/cli-runtime v0.28.0/go.mod h1:U+ySmOKBm/JUCmebhmecXeTwNN1RzI7DW4+OM8Oryas=
 k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
 k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE=
-k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk=
-k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc=
+k8s.io/client-go v0.28.0 h1:ebcPRDZsCjpj62+cMk1eGNX1QkMdRmQ6lmz5BLoFWeM=
+k8s.io/client-go v0.28.0/go.mod h1:0Asy9Xt3U98RypWJmU1ZrRAGKhP6NqDPmptlAzK2kMc=
 k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
 k8s.io/code-generator v0.20.2/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
 k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
 k8s.io/component-base v0.20.2/go.mod h1:pzFtCiwe/ASD0iV7ySMu8SYVJjCapNM9bjvk7ptpKh0=
-k8s.io/component-base v0.27.4 h1:Wqc0jMKEDGjKXdae8hBXeskRP//vu1m6ypC+gwErj4c=
-k8s.io/component-base v0.27.4/go.mod h1:hoiEETnLc0ioLv6WPeDt8vD34DDeB35MfQnxCARq3kY=
+k8s.io/component-base v0.28.0 h1:HQKy1enJrOeJlTlN4a6dU09wtmXaUvThC0irImfqyxI=
+k8s.io/component-base v0.28.0/go.mod h1:Yyf3+ZypLfMydVzuLBqJ5V7Kx6WwDr/5cN+dFjw1FNk=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
@@ -2216,20 +2210,20 @@ k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kube-aggregator v0.27.4 h1:WdK9iiBr32G8bWfpUEFVQl70RZO2dU19ZAktUXL5JFc=
-k8s.io/kube-aggregator v0.27.4/go.mod h1:+eG83gkAyh0uilQEAOgheeQW4hr+PkyV+5O1nLGsjlM=
+k8s.io/kube-aggregator v0.28.0 h1:8uH1SoRLlDdhdaW64eAK1BDWUXr2jLtVhiShysTzcok=
+k8s.io/kube-aggregator v0.28.0/go.mod h1:wD7UarSU4HRyeDUIZLEHpvXNqL613w59yaM7ctjYapA=
 k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
 k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
-k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 h1:azYPdzztXxPSa8wb+hksEKayiz0o+PPisO/d+QhWnoo=
-k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5/go.mod h1:kzo02I3kQ4BTtEfVLaPbjvCkX97YqGve33wzlb3fofQ=
-k8s.io/kubectl v0.26.3 h1:bZ5SgFyeEXw6XTc1Qji0iNdtqAC76lmeIIQULg2wNXM=
-k8s.io/kubectl v0.26.3/go.mod h1:02+gv7Qn4dupzN3fi/9OvqqdW+uG/4Zi56vc4Zmsp1g=
-k8s.io/pod-security-admission v0.27.4 h1:AA32ID+ECNJoUU8yuzLt4WzKPDZg7zMmP2cZ9rVsFyE=
-k8s.io/pod-security-admission v0.27.4/go.mod h1:GOcnrXk8TT5cPhtCxdlkOAvBnX3QmZiMHqPw9PbZhPs=
+k8s.io/kube-openapi v0.0.0-20230811205723-7ac0aad8c58d h1:lGN9colvFFZIY0Guxkzdd73CoDXHIbhlQkfi7n/26Ak=
+k8s.io/kube-openapi v0.0.0-20230811205723-7ac0aad8c58d/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
+k8s.io/kubectl v0.28.0 h1:qhfju0OaU+JGeBlToPeeIg2UJUWP++QwTkpio6nlPKg=
+k8s.io/kubectl v0.28.0/go.mod h1:1We+E5nSX3/TVoSQ6y5Bzld5OhTBHZHlKEYl7g/NaTk=
+k8s.io/pod-security-admission v0.28.0 h1:Vz8XTjMAKHQFZv9Q4GdmO59CUtelkPPDRJTy/WTTc3g=
+k8s.io/pod-security-admission v0.28.0/go.mod h1:hABVUcP7SRALDvESOK+RYIAWc9uZ5I1eSdcUwsOYTU8=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210111153108-fddb29f9d009/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU=
-k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
@@ -2247,10 +2241,10 @@ sigs.k8s.io/controller-runtime v0.15.1 h1:9UvgKD4ZJGcj24vefUFgZFP3xej/3igL9BsOUT
 sigs.k8s.io/controller-runtime v0.15.1/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/kustomize/api v0.13.4 h1:E38Hfx0G9R9v7vRgKshviPotJQETG0S2gD3JdHLCAsI=
-sigs.k8s.io/kustomize/api v0.13.4/go.mod h1:Bkaavz5RKK6ZzP0zgPrB7QbpbBJKiHuD3BB0KujY7Ls=
-sigs.k8s.io/kustomize/kyaml v0.14.2 h1:9WSwztbzwGszG1bZTziQUmVMrJccnyrLb5ZMKpJGvXw=
-sigs.k8s.io/kustomize/kyaml v0.14.2/go.mod h1:AN1/IpawKilWD7V+YvQwRGUvuUOOWpjsHu6uHwonSF4=
+sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0=
+sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY=
+sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM7vh3b7HvGNfXrJ/xL6BDMS0v1V/HHg5U=
+sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag=
 sigs.k8s.io/release-utils v0.7.4 h1:17LmJrydpUloTCtaoWj95uKlcrUp4h2A9Sa+ZL+lV9w=
 sigs.k8s.io/release-utils v0.7.4/go.mod h1:JEt2QPHItd5Pg2UKLAU8PEaSlF4bUjCZimpxFDgymVU=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
diff --git a/pkg/clients/aggregator/discovery/resource.generated.go b/pkg/clients/aggregator/discovery/resource.generated.go
index fa3e8de23e..3bb3adc2d8 100644
--- a/pkg/clients/aggregator/discovery/resource.generated.go
+++ b/pkg/clients/aggregator/discovery/resource.generated.go
@@ -4,7 +4,7 @@ import ( "time" "github.com/go-logr/logr" - github_com_google_gnostic_openapiv2 "github.com/google/gnostic/openapiv2" + github_com_google_gnostic_models_openapiv2 "github.com/google/gnostic-models/openapiv2" "github.com/kyverno/kyverno/pkg/metrics" "go.uber.org/multierr" k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -31,7 +31,7 @@ type withLogging struct { logger logr.Logger } -func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { start := time.Now() logger := c.logger.WithValues("operation", "OpenAPISchema") ret0, ret1 := c.inner.OpenAPISchema() @@ -135,7 +135,7 @@ type withMetrics struct { recorder metrics.Recorder } -func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { defer c.recorder.Record("open_api_schema") return c.inner.OpenAPISchema() } @@ -182,7 +182,7 @@ type withTracing struct { kind string } -func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { return c.inner.OpenAPISchema() } func (c *withTracing) OpenAPIV3() k8s_io_client_go_openapi.Client { diff --git a/pkg/clients/apiserver/discovery/resource.generated.go b/pkg/clients/apiserver/discovery/resource.generated.go index fa3e8de23e..3bb3adc2d8 100644 --- a/pkg/clients/apiserver/discovery/resource.generated.go +++ b/pkg/clients/apiserver/discovery/resource.generated.go 
@@ -4,7 +4,7 @@ import ( "time" "github.com/go-logr/logr" - github_com_google_gnostic_openapiv2 "github.com/google/gnostic/openapiv2" + github_com_google_gnostic_models_openapiv2 "github.com/google/gnostic-models/openapiv2" "github.com/kyverno/kyverno/pkg/metrics" "go.uber.org/multierr" k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -31,7 +31,7 @@ type withLogging struct { logger logr.Logger } -func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { start := time.Now() logger := c.logger.WithValues("operation", "OpenAPISchema") ret0, ret1 := c.inner.OpenAPISchema() @@ -135,7 +135,7 @@ type withMetrics struct { recorder metrics.Recorder } -func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { defer c.recorder.Record("open_api_schema") return c.inner.OpenAPISchema() } @@ -182,7 +182,7 @@ type withTracing struct { kind string } -func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { return c.inner.OpenAPISchema() } func (c *withTracing) OpenAPIV3() k8s_io_client_go_openapi.Client { diff --git a/pkg/clients/dclient/discovery.go b/pkg/clients/dclient/discovery.go index 8b19405618..fb1a0a1633 100644 --- a/pkg/clients/dclient/discovery.go +++ b/pkg/clients/dclient/discovery.go @@ -6,7 +6,7 @@ import ( "strings" "time" - openapiv2 "github.com/google/gnostic/openapiv2" + openapiv2 "github.com/google/gnostic-models/openapiv2" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" "github.com/kyverno/kyverno/pkg/utils/wildcard" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
diff --git a/pkg/clients/dclient/fake.go b/pkg/clients/dclient/fake.go index 43528aefd9..0c0b8180e7 100644 --- a/pkg/clients/dclient/fake.go +++ b/pkg/clients/dclient/fake.go @@ -5,7 +5,7 @@ import ( "fmt" "strings" - openapiv2 "github.com/google/gnostic/openapiv2" + openapiv2 "github.com/google/gnostic-models/openapiv2" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" diff --git a/pkg/clients/kube/admissionregistrationv1beta1/client.generated.go b/pkg/clients/kube/admissionregistrationv1beta1/client.generated.go index bb4344b641..6274c224b6 100644 --- a/pkg/clients/kube/admissionregistrationv1beta1/client.generated.go +++ b/pkg/clients/kube/admissionregistrationv1beta1/client.generated.go @@ -3,6 +3,8 @@ package client import ( "github.com/go-logr/logr" mutatingwebhookconfigurations "github.com/kyverno/kyverno/pkg/clients/kube/admissionregistrationv1beta1/mutatingwebhookconfigurations" + validatingadmissionpolicies "github.com/kyverno/kyverno/pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicies" + validatingadmissionpolicybindings "github.com/kyverno/kyverno/pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicybindings" validatingwebhookconfigurations "github.com/kyverno/kyverno/pkg/clients/kube/admissionregistrationv1beta1/validatingwebhookconfigurations" "github.com/kyverno/kyverno/pkg/metrics" k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1" 
@@ -34,6 +36,14 @@ func (c *withMetrics) MutatingWebhookConfigurations() k8s_io_client_go_kubernete recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "MutatingWebhookConfiguration", c.clientType) return mutatingwebhookconfigurations.WithMetrics(c.inner.MutatingWebhookConfigurations(), recorder) } +func (c *withMetrics) ValidatingAdmissionPolicies() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface { + recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ValidatingAdmissionPolicy", c.clientType) + return validatingadmissionpolicies.WithMetrics(c.inner.ValidatingAdmissionPolicies(), recorder) +} +func (c *withMetrics) ValidatingAdmissionPolicyBindings() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface { + recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ValidatingAdmissionPolicyBinding", c.clientType) + return validatingadmissionpolicybindings.WithMetrics(c.inner.ValidatingAdmissionPolicyBindings(), recorder) +} func (c *withMetrics) ValidatingWebhookConfigurations() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingWebhookConfigurationInterface { recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ValidatingWebhookConfiguration", c.clientType) return validatingwebhookconfigurations.WithMetrics(c.inner.ValidatingWebhookConfigurations(), recorder) 
@@ -50,6 +60,12 @@ func (c *withTracing) RESTClient() rest.Interface { func (c *withTracing) MutatingWebhookConfigurations() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.MutatingWebhookConfigurationInterface { return mutatingwebhookconfigurations.WithTracing(c.inner.MutatingWebhookConfigurations(), c.client, "MutatingWebhookConfiguration") } +func (c *withTracing) ValidatingAdmissionPolicies() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface { + return validatingadmissionpolicies.WithTracing(c.inner.ValidatingAdmissionPolicies(), c.client, "ValidatingAdmissionPolicy") +} +func (c *withTracing) ValidatingAdmissionPolicyBindings() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface { + return validatingadmissionpolicybindings.WithTracing(c.inner.ValidatingAdmissionPolicyBindings(), c.client, "ValidatingAdmissionPolicyBinding") +} func (c *withTracing) ValidatingWebhookConfigurations() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingWebhookConfigurationInterface { return validatingwebhookconfigurations.WithTracing(c.inner.ValidatingWebhookConfigurations(), c.client, "ValidatingWebhookConfiguration") } 
@@ -65,6 +81,12 @@ func (c *withLogging) RESTClient() rest.Interface { func (c *withLogging) MutatingWebhookConfigurations() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.MutatingWebhookConfigurationInterface { return mutatingwebhookconfigurations.WithLogging(c.inner.MutatingWebhookConfigurations(), c.logger.WithValues("resource", "MutatingWebhookConfigurations")) } +func (c *withLogging) ValidatingAdmissionPolicies() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface { + return validatingadmissionpolicies.WithLogging(c.inner.ValidatingAdmissionPolicies(), c.logger.WithValues("resource", "ValidatingAdmissionPolicies")) +} +func (c *withLogging) ValidatingAdmissionPolicyBindings() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface { + return validatingadmissionpolicybindings.WithLogging(c.inner.ValidatingAdmissionPolicyBindings(), c.logger.WithValues("resource", "ValidatingAdmissionPolicyBindings")) +} func (c *withLogging) ValidatingWebhookConfigurations() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingWebhookConfigurationInterface { return validatingwebhookconfigurations.WithLogging(c.inner.ValidatingWebhookConfigurations(), c.logger.WithValues("resource", "ValidatingWebhookConfigurations")) } diff --git a/pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicies/resource.generated.go b/pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicies/resource.generated.go new file mode 100644 index 0000000000..4de5a292a0 --- /dev/null +++ b/pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicies/resource.generated.go 
@@ -0,0 +1,446 @@ +package resource + +import ( + context "context" + "fmt" + "time" + + "github.com/go-logr/logr" + "github.com/kyverno/kyverno/pkg/metrics" + "github.com/kyverno/kyverno/pkg/tracing" + "go.opentelemetry.io/otel/trace" + "go.uber.org/multierr" + k8s_io_api_admissionregistration_v1beta1 "k8s.io/api/admissionregistration/v1beta1" + k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types" + k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch" + k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1 "k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1" + k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1" +) + +func WithLogging(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface, logger logr.Logger) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface { + return &withLogging{inner, logger} +} + +func WithMetrics(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface, recorder metrics.Recorder) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface { + return &withMetrics{inner, recorder} +} + +func WithTracing(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface, client, kind string) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface { + return &withTracing{inner, client, kind} +} + +type withLogging struct { + inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface + logger logr.Logger +} + +func (c *withLogging) Apply(arg0 context.Context, arg1 
*k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Apply") + ret0, ret1 := c.inner.Apply(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Apply failed", "duration", time.Since(start)) + } else { + logger.Info("Apply done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "ApplyStatus") + ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "ApplyStatus failed", "duration", time.Since(start)) + } else { + logger.Info("ApplyStatus done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Create") + ret0, ret1 := c.inner.Create(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Create failed", "duration", time.Since(start)) + } else { + logger.Info("Create done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + start := 
time.Now() + logger := c.logger.WithValues("operation", "Delete") + ret0 := c.inner.Delete(arg0, arg1, arg2) + if err := multierr.Combine(ret0); err != nil { + logger.Error(err, "Delete failed", "duration", time.Since(start)) + } else { + logger.Info("Delete done", "duration", time.Since(start)) + } + return ret0 +} +func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + start := time.Now() + logger := c.logger.WithValues("operation", "DeleteCollection") + ret0 := c.inner.DeleteCollection(arg0, arg1, arg2) + if err := multierr.Combine(ret0); err != nil { + logger.Error(err, "DeleteCollection failed", "duration", time.Since(start)) + } else { + logger.Info("DeleteCollection done", "duration", time.Since(start)) + } + return ret0 +} +func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Get") + ret0, ret1 := c.inner.Get(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Get failed", "duration", time.Since(start)) + } else { + logger.Info("Get done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyList, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "List") + ret0, ret1 := c.inner.List(arg0, arg1) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "List failed", "duration", time.Since(start)) + } else { + logger.Info("List done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 
k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Patch") + ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Patch failed", "duration", time.Since(start)) + } else { + logger.Info("Patch done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Update") + ret0, ret1 := c.inner.Update(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Update failed", "duration", time.Since(start)) + } else { + logger.Info("Update done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "UpdateStatus") + ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "UpdateStatus failed", "duration", time.Since(start)) + } else { + logger.Info("UpdateStatus done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + start := time.Now() + logger := 
c.logger.WithValues("operation", "Watch") + ret0, ret1 := c.inner.Watch(arg0, arg1) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Watch failed", "duration", time.Since(start)) + } else { + logger.Info("Watch done", "duration", time.Since(start)) + } + return ret0, ret1 +} + +type withMetrics struct { + inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface + recorder metrics.Recorder +} + +func (c *withMetrics) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "apply") + return c.inner.Apply(arg0, arg1, arg2) +} +func (c *withMetrics) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "apply_status") + return c.inner.ApplyStatus(arg0, arg1, arg2) +} +func (c *withMetrics) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "create") + return c.inner.Create(arg0, arg1, arg2) +} +func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + defer c.recorder.RecordWithContext(arg0, "delete") + return c.inner.Delete(arg0, arg1, arg2) +} +func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 
k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + defer c.recorder.RecordWithContext(arg0, "delete_collection") + return c.inner.DeleteCollection(arg0, arg1, arg2) +} +func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "get") + return c.inner.Get(arg0, arg1, arg2) +} +func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyList, error) { + defer c.recorder.RecordWithContext(arg0, "list") + return c.inner.List(arg0, arg1) +} +func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "patch") + return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) 
+} +func (c *withMetrics) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "update") + return c.inner.Update(arg0, arg1, arg2) +} +func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + defer c.recorder.RecordWithContext(arg0, "update_status") + return c.inner.UpdateStatus(arg0, arg1, arg2) +} +func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + defer c.recorder.RecordWithContext(arg0, "watch") + return c.inner.Watch(arg0, arg1) +} + +type withTracing struct { + inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface + client string + kind string +} + +func (c *withTracing) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Apply"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Apply"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Apply(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) ApplyStatus(arg0 
context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "ApplyStatus"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("ApplyStatus"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Create"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Create(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Delete"), + 
), + ) + defer span.End() + } + ret0 := c.inner.Delete(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret0) + } + return ret0 +} +func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("DeleteCollection"), + ), + ) + defer span.End() + } + ret0 := c.inner.DeleteCollection(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret0) + } + return ret0 +} +func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Get"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Get(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyList, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + 
tracing.KubeClientOperationKey.String("List"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.List(arg0, arg1) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Patch"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Update"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Update(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) 
(*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("UpdateStatus"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Watch"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Watch(arg0, arg1) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} diff --git a/pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicybindings/resource.generated.go b/pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicybindings/resource.generated.go new file mode 100644 index 0000000000..5ae62b0c07 --- /dev/null +++ b/pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicybindings/resource.generated.go 
@@ -0,0 +1,374 @@ +package resource + +import ( + context "context" + "fmt" + "time" + + "github.com/go-logr/logr" + "github.com/kyverno/kyverno/pkg/metrics" + "github.com/kyverno/kyverno/pkg/tracing" + "go.opentelemetry.io/otel/trace" + "go.uber.org/multierr" + k8s_io_api_admissionregistration_v1beta1 "k8s.io/api/admissionregistration/v1beta1" + k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types" + k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch" + k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1 "k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1" + k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1" +) + +func WithLogging(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface, logger logr.Logger) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface { + return &withLogging{inner, logger} +} + +func WithMetrics(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface, recorder metrics.Recorder) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface { + return &withMetrics{inner, recorder} +} + +func WithTracing(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface, client, kind string) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface { + return &withTracing{inner, client, kind} +} + +type withLogging struct { + inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface + logger logr.Logger +} + +func (c *withLogging) Apply(arg0 context.Context, arg1 
*k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Apply") + ret0, ret1 := c.inner.Apply(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Apply failed", "duration", time.Since(start)) + } else { + logger.Info("Apply done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Create") + ret0, ret1 := c.inner.Create(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Create failed", "duration", time.Since(start)) + } else { + logger.Info("Create done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + start := time.Now() + logger := c.logger.WithValues("operation", "Delete") + ret0 := c.inner.Delete(arg0, arg1, arg2) + if err := multierr.Combine(ret0); err != nil { + logger.Error(err, "Delete failed", "duration", time.Since(start)) + } else { + logger.Info("Delete done", "duration", time.Since(start)) + } + return ret0 +} +func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + start := time.Now() + logger := c.logger.WithValues("operation", "DeleteCollection") + ret0 := c.inner.DeleteCollection(arg0, arg1, arg2) + 
if err := multierr.Combine(ret0); err != nil { + logger.Error(err, "DeleteCollection failed", "duration", time.Since(start)) + } else { + logger.Info("DeleteCollection done", "duration", time.Since(start)) + } + return ret0 +} +func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Get") + ret0, ret1 := c.inner.Get(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Get failed", "duration", time.Since(start)) + } else { + logger.Info("Get done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingList, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "List") + ret0, ret1 := c.inner.List(arg0, arg1) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "List failed", "duration", time.Since(start)) + } else { + logger.Info("List done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Patch") + ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) 
+ if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Patch failed", "duration", time.Since(start)) + } else { + logger.Info("Patch done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Update") + ret0, ret1 := c.inner.Update(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Update failed", "duration", time.Since(start)) + } else { + logger.Info("Update done", "duration", time.Since(start)) + } + return ret0, ret1 +} +func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Watch") + ret0, ret1 := c.inner.Watch(arg0, arg1) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Watch failed", "duration", time.Since(start)) + } else { + logger.Info("Watch done", "duration", time.Since(start)) + } + return ret0, ret1 +} + +type withMetrics struct { + inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface + recorder metrics.Recorder +} + +func (c *withMetrics) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + defer c.recorder.RecordWithContext(arg0, "apply") + return c.inner.Apply(arg0, arg1, arg2) +} +func (c *withMetrics) Create(arg0 context.Context, arg1 
*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + defer c.recorder.RecordWithContext(arg0, "create") + return c.inner.Create(arg0, arg1, arg2) +} +func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + defer c.recorder.RecordWithContext(arg0, "delete") + return c.inner.Delete(arg0, arg1, arg2) +} +func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + defer c.recorder.RecordWithContext(arg0, "delete_collection") + return c.inner.DeleteCollection(arg0, arg1, arg2) +} +func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + defer c.recorder.RecordWithContext(arg0, "get") + return c.inner.Get(arg0, arg1, arg2) +} +func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingList, error) { + defer c.recorder.RecordWithContext(arg0, "list") + return c.inner.List(arg0, arg1) +} +func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + defer c.recorder.RecordWithContext(arg0, "patch") + return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) 
+} +func (c *withMetrics) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + defer c.recorder.RecordWithContext(arg0, "update") + return c.inner.Update(arg0, arg1, arg2) +} +func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + defer c.recorder.RecordWithContext(arg0, "watch") + return c.inner.Watch(arg0, arg1) +} + +type withTracing struct { + inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface + client string + kind string +} + +func (c *withTracing) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Apply"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Apply"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Apply(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + 
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Create"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Create(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Delete"), + ), + ) + defer span.End() + } + ret0 := c.inner.Delete(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret0) + } + return ret0 +} +func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("DeleteCollection"), + ), + ) + defer span.End() + } + ret0 := c.inner.DeleteCollection(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret0) + } + return ret0 +} +func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", 
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Get"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Get(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingList, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("List"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.List(arg0, arg1) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Patch"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...) 
+ if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Update"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Update(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} +func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Watch"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Watch(arg0, arg1) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} diff --git a/pkg/clients/kube/authenticationv1/client.generated.go b/pkg/clients/kube/authenticationv1/client.generated.go index 66c901d043..3be00b7ecf 100644 --- a/pkg/clients/kube/authenticationv1/client.generated.go +++ b/pkg/clients/kube/authenticationv1/client.generated.go 
@@ -2,6 +2,7 @@ package client import ( "github.com/go-logr/logr" + selfsubjectreviews "github.com/kyverno/kyverno/pkg/clients/kube/authenticationv1/selfsubjectreviews" tokenreviews "github.com/kyverno/kyverno/pkg/clients/kube/authenticationv1/tokenreviews" "github.com/kyverno/kyverno/pkg/metrics" k8s_io_client_go_kubernetes_typed_authentication_v1 "k8s.io/client-go/kubernetes/typed/authentication/v1" @@ -29,6 +30,10 @@ type withMetrics struct { func (c *withMetrics) RESTClient() rest.Interface { return c.inner.RESTClient() } +func (c *withMetrics) SelfSubjectReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface { + recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "SelfSubjectReview", c.clientType) + return selfsubjectreviews.WithMetrics(c.inner.SelfSubjectReviews(), recorder) +} func (c *withMetrics) TokenReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.TokenReviewInterface { recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "TokenReview", c.clientType) return tokenreviews.WithMetrics(c.inner.TokenReviews(), recorder) @@ -42,6 +47,9 @@ type withTracing struct { func (c *withTracing) RESTClient() rest.Interface { return c.inner.RESTClient() } +func (c *withTracing) SelfSubjectReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface { + return selfsubjectreviews.WithTracing(c.inner.SelfSubjectReviews(), c.client, "SelfSubjectReview") +} func (c *withTracing) TokenReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.TokenReviewInterface { return tokenreviews.WithTracing(c.inner.TokenReviews(), c.client, "TokenReview") } 
@@ -54,6 +62,9 @@ type withLogging struct { func (c *withLogging) RESTClient() rest.Interface { return c.inner.RESTClient() } +func (c *withLogging) SelfSubjectReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface { + return selfsubjectreviews.WithLogging(c.inner.SelfSubjectReviews(), c.logger.WithValues("resource", "SelfSubjectReviews")) +} func (c *withLogging) TokenReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.TokenReviewInterface { return tokenreviews.WithLogging(c.inner.TokenReviews(), c.logger.WithValues("resource", "TokenReviews")) } diff --git a/pkg/clients/kube/authenticationv1/selfsubjectreviews/resource.generated.go b/pkg/clients/kube/authenticationv1/selfsubjectreviews/resource.generated.go new file mode 100644 index 0000000000..d86aabbf4d --- /dev/null +++ b/pkg/clients/kube/authenticationv1/selfsubjectreviews/resource.generated.go 
@@ -0,0 +1,83 @@ +package resource + +import ( + context "context" + "fmt" + "time" + + "github.com/go-logr/logr" + "github.com/kyverno/kyverno/pkg/metrics" + "github.com/kyverno/kyverno/pkg/tracing" + "go.opentelemetry.io/otel/trace" + "go.uber.org/multierr" + k8s_io_api_authentication_v1 "k8s.io/api/authentication/v1" + k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + k8s_io_client_go_kubernetes_typed_authentication_v1 "k8s.io/client-go/kubernetes/typed/authentication/v1" +) + +func WithLogging(inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface, logger logr.Logger) k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface { + return &withLogging{inner, logger} +} + +func WithMetrics(inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface, recorder metrics.Recorder) k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface { + return &withMetrics{inner, recorder} +} + +func WithTracing(inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface, client, kind string) k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface { + return &withTracing{inner, client, kind} +} + +type withLogging struct { + inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface + logger logr.Logger +} + +func (c *withLogging) Create(arg0 context.Context, arg1 *k8s_io_api_authentication_v1.SelfSubjectReview, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_authentication_v1.SelfSubjectReview, error) { + start := time.Now() + logger := c.logger.WithValues("operation", "Create") + ret0, ret1 := c.inner.Create(arg0, arg1, arg2) + if err := multierr.Combine(ret1); err != nil { + logger.Error(err, "Create failed", "duration", time.Since(start)) + } else { + logger.Info("Create done", "duration", time.Since(start)) + } + return ret0, ret1 +} + +type withMetrics struct 
{ + inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface + recorder metrics.Recorder +} + +func (c *withMetrics) Create(arg0 context.Context, arg1 *k8s_io_api_authentication_v1.SelfSubjectReview, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_authentication_v1.SelfSubjectReview, error) { + defer c.recorder.RecordWithContext(arg0, "create") + return c.inner.Create(arg0, arg1, arg2) +} + +type withTracing struct { + inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface + client string + kind string +} + +func (c *withTracing) Create(arg0 context.Context, arg1 *k8s_io_api_authentication_v1.SelfSubjectReview, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_authentication_v1.SelfSubjectReview, error) { + var span trace.Span + if tracing.IsInSpan(arg0) { + arg0, span = tracing.StartChildSpan( + arg0, + "", + fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"), + trace.WithAttributes( + tracing.KubeClientGroupKey.String(c.client), + tracing.KubeClientKindKey.String(c.kind), + tracing.KubeClientOperationKey.String("Create"), + ), + ) + defer span.End() + } + ret0, ret1 := c.inner.Create(arg0, arg1, arg2) + if span != nil { + tracing.SetSpanStatus(span, ret1) + } + return ret0, ret1 +} diff --git a/pkg/clients/kube/discovery/resource.generated.go b/pkg/clients/kube/discovery/resource.generated.go index fa3e8de23e..3bb3adc2d8 100644 --- a/pkg/clients/kube/discovery/resource.generated.go +++ b/pkg/clients/kube/discovery/resource.generated.go @@ -4,7 +4,7 @@ import ( "time" "github.com/go-logr/logr" - github_com_google_gnostic_openapiv2 "github.com/google/gnostic/openapiv2" + github_com_google_gnostic_models_openapiv2 "github.com/google/gnostic-models/openapiv2" "github.com/kyverno/kyverno/pkg/metrics" "go.uber.org/multierr" k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -31,7 +31,7 @@ type withLogging struct { logger logr.Logger } -func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { start := time.Now() logger := c.logger.WithValues("operation", "OpenAPISchema") ret0, ret1 := c.inner.OpenAPISchema() @@ -135,7 +135,7 @@ type withMetrics struct { recorder metrics.Recorder } -func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { defer c.recorder.Record("open_api_schema") return c.inner.OpenAPISchema() } @@ -182,7 +182,7 @@ type withTracing struct { kind string } -func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { return c.inner.OpenAPISchema() } func (c *withTracing) OpenAPIV3() k8s_io_client_go_openapi.Client { diff --git a/pkg/clients/kube/extensionsv1beta1/networkpolicies/resource.generated.go b/pkg/clients/kube/extensionsv1beta1/networkpolicies/resource.generated.go index 9c6f3a6e4d..2381e32f87 100644 --- a/pkg/clients/kube/extensionsv1beta1/networkpolicies/resource.generated.go +++ b/pkg/clients/kube/extensionsv1beta1/networkpolicies/resource.generated.go 
@@ -46,17 +46,6 @@ func (c *withLogging) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco } return ret0, ret1 } -func (c *withLogging) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_extensions_v1beta1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) { - start := time.Now() - logger := c.logger.WithValues("operation", "ApplyStatus") - ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2) - if err := multierr.Combine(ret1); err != nil { - logger.Error(err, "ApplyStatus failed", "duration", time.Since(start)) - } else { - logger.Info("ApplyStatus done", "duration", time.Since(start)) - } - return ret0, ret1 -} func (c *withLogging) Create(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) { start := time.Now() logger := c.logger.WithValues("operation", "Create") @@ -134,17 +123,6 @@ func (c *withLogging) Update(arg0 context.Context, arg1 *k8s_io_api_extensions_v } return ret0, ret1 } -func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) { - start := time.Now() - logger := c.logger.WithValues("operation", "UpdateStatus") - ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2) - if err := multierr.Combine(ret1); err != nil { - logger.Error(err, "UpdateStatus failed", "duration", time.Since(start)) - } else { - logger.Info("UpdateStatus done", "duration", time.Since(start)) - } - return ret0, ret1 -} func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { start := time.Now() logger := c.logger.WithValues("operation", "Watch") 
@@ -166,10 +144,6 @@ func (c *withMetrics) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco defer c.recorder.RecordWithContext(arg0, "apply") return c.inner.Apply(arg0, arg1, arg2) } -func (c *withMetrics) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_extensions_v1beta1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) { - defer c.recorder.RecordWithContext(arg0, "apply_status") - return c.inner.ApplyStatus(arg0, arg1, arg2) -} func (c *withMetrics) Create(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) { defer c.recorder.RecordWithContext(arg0, "create") return c.inner.Create(arg0, arg1, arg2) @@ -198,10 +172,6 @@ func (c *withMetrics) Update(arg0 context.Context, arg1 *k8s_io_api_extensions_v defer c.recorder.RecordWithContext(arg0, "update") return c.inner.Update(arg0, arg1, arg2) } -func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) { - defer c.recorder.RecordWithContext(arg0, "update_status") - return c.inner.UpdateStatus(arg0, arg1, arg2) -} func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { defer c.recorder.RecordWithContext(arg0, "watch") return c.inner.Watch(arg0, arg1) 
@@ -234,27 +204,6 @@ func (c *withTracing) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco } return ret0, ret1 } -func (c *withTracing) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_extensions_v1beta1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) { - var span trace.Span - if tracing.IsInSpan(arg0) { - arg0, span = tracing.StartChildSpan( - arg0, - "", - fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "ApplyStatus"), - trace.WithAttributes( - tracing.KubeClientGroupKey.String(c.client), - tracing.KubeClientKindKey.String(c.kind), - tracing.KubeClientOperationKey.String("ApplyStatus"), - ), - ) - defer span.End() - } - ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2) - if span != nil { - tracing.SetSpanStatus(span, ret1) - } - return ret0, ret1 -} func (c *withTracing) Create(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) { var span trace.Span if tracing.IsInSpan(arg0) { 
@@ -402,27 +351,6 @@ func (c *withTracing) Update(arg0 context.Context, arg1 *k8s_io_api_extensions_v } return ret0, ret1 } -func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) { - var span trace.Span - if tracing.IsInSpan(arg0) { - arg0, span = tracing.StartChildSpan( - arg0, - "", - fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"), - trace.WithAttributes( - tracing.KubeClientGroupKey.String(c.client), - tracing.KubeClientKindKey.String(c.kind), - tracing.KubeClientOperationKey.String("UpdateStatus"), - ), - ) - defer span.End() - } - ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2) - if span != nil { - tracing.SetSpanStatus(span, ret1) - } - return ret0, ret1 -} func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { var span trace.Span if tracing.IsInSpan(arg0) { diff --git a/pkg/clients/kube/networkingv1/networkpolicies/resource.generated.go b/pkg/clients/kube/networkingv1/networkpolicies/resource.generated.go index 7612fb6552..0d160a0acc 100644 --- a/pkg/clients/kube/networkingv1/networkpolicies/resource.generated.go +++ b/pkg/clients/kube/networkingv1/networkpolicies/resource.generated.go 
@@ -46,17 +46,6 @@ func (c *withLogging) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco } return ret0, ret1 } -func (c *withLogging) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_networking_v1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) { - start := time.Now() - logger := c.logger.WithValues("operation", "ApplyStatus") - ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2) - if err := multierr.Combine(ret1); err != nil { - logger.Error(err, "ApplyStatus failed", "duration", time.Since(start)) - } else { - logger.Info("ApplyStatus done", "duration", time.Since(start)) - } - return ret0, ret1 -} func (c *withLogging) Create(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) { start := time.Now() logger := c.logger.WithValues("operation", "Create") @@ -134,17 +123,6 @@ func (c *withLogging) Update(arg0 context.Context, arg1 *k8s_io_api_networking_v } return ret0, ret1 } -func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) { - start := time.Now() - logger := c.logger.WithValues("operation", "UpdateStatus") - ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2) - if err := multierr.Combine(ret1); err != nil { - logger.Error(err, "UpdateStatus failed", "duration", time.Since(start)) - } else { - logger.Info("UpdateStatus done", "duration", time.Since(start)) - } - return ret0, ret1 -} func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { start := time.Now() logger := c.logger.WithValues("operation", "Watch") 
@@ -166,10 +144,6 @@ func (c *withMetrics) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco defer c.recorder.RecordWithContext(arg0, "apply") return c.inner.Apply(arg0, arg1, arg2) } -func (c *withMetrics) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_networking_v1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) { - defer c.recorder.RecordWithContext(arg0, "apply_status") - return c.inner.ApplyStatus(arg0, arg1, arg2) -} func (c *withMetrics) Create(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) { defer c.recorder.RecordWithContext(arg0, "create") return c.inner.Create(arg0, arg1, arg2) @@ -198,10 +172,6 @@ func (c *withMetrics) Update(arg0 context.Context, arg1 *k8s_io_api_networking_v defer c.recorder.RecordWithContext(arg0, "update") return c.inner.Update(arg0, arg1, arg2) } -func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) { - defer c.recorder.RecordWithContext(arg0, "update_status") - return c.inner.UpdateStatus(arg0, arg1, arg2) -} func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { defer c.recorder.RecordWithContext(arg0, "watch") return c.inner.Watch(arg0, arg1) 
@@ -234,27 +204,6 @@ func (c *withTracing) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco } return ret0, ret1 } -func (c *withTracing) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_networking_v1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) { - var span trace.Span - if tracing.IsInSpan(arg0) { - arg0, span = tracing.StartChildSpan( - arg0, - "", - fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "ApplyStatus"), - trace.WithAttributes( - tracing.KubeClientGroupKey.String(c.client), - tracing.KubeClientKindKey.String(c.kind), - tracing.KubeClientOperationKey.String("ApplyStatus"), - ), - ) - defer span.End() - } - ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2) - if span != nil { - tracing.SetSpanStatus(span, ret1) - } - return ret0, ret1 -} func (c *withTracing) Create(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) { var span trace.Span if tracing.IsInSpan(arg0) { 
@@ -402,27 +351,6 @@ func (c *withTracing) Update(arg0 context.Context, arg1 *k8s_io_api_networking_v } return ret0, ret1 } -func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) { - var span trace.Span - if tracing.IsInSpan(arg0) { - arg0, span = tracing.StartChildSpan( - arg0, - "", - fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"), - trace.WithAttributes( - tracing.KubeClientGroupKey.String(c.client), - tracing.KubeClientKindKey.String(c.kind), - tracing.KubeClientOperationKey.String("UpdateStatus"), - ), - ) - defer span.End() - } - ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2) - if span != nil { - tracing.SetSpanStatus(span, ret1) - } - return ret0, ret1 -} func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) { var span trace.Span if tracing.IsInSpan(arg0) { diff --git a/pkg/clients/kyverno/discovery/resource.generated.go b/pkg/clients/kyverno/discovery/resource.generated.go index fa3e8de23e..3bb3adc2d8 100644 --- a/pkg/clients/kyverno/discovery/resource.generated.go +++ b/pkg/clients/kyverno/discovery/resource.generated.go @@ -4,7 +4,7 @@ import ( "time" "github.com/go-logr/logr" - github_com_google_gnostic_openapiv2 "github.com/google/gnostic/openapiv2" + github_com_google_gnostic_models_openapiv2 "github.com/google/gnostic-models/openapiv2" "github.com/kyverno/kyverno/pkg/metrics" "go.uber.org/multierr" k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -31,7 +31,7 @@ type withLogging struct { logger logr.Logger } -func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { start := time.Now() logger := c.logger.WithValues("operation", "OpenAPISchema") ret0, ret1 := c.inner.OpenAPISchema() @@ -135,7 +135,7 @@ type withMetrics struct { recorder metrics.Recorder } -func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { defer c.recorder.Record("open_api_schema") return c.inner.OpenAPISchema() } @@ -182,7 +182,7 @@ type withTracing struct { kind string } -func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) { +func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) { return c.inner.OpenAPISchema() } func (c *withTracing) OpenAPIV3() k8s_io_client_go_openapi.Client { diff --git a/pkg/controllers/openapi/manager.go b/pkg/controllers/openapi/manager.go index f27de685b3..656e8144a0 100644 --- a/pkg/controllers/openapi/manager.go +++ b/pkg/controllers/openapi/manager.go @@ -1,7 +1,7 @@ package openapi import ( - openapiv2 "github.com/google/gnostic/openapiv2" + openapiv2 "github.com/google/gnostic-models/openapiv2" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) diff --git a/pkg/engine/handlers/validation/validate_cel.go b/pkg/engine/handlers/validation/validate_cel.go index f994be0a79..525b8958b0 100644 --- a/pkg/engine/handlers/validation/validate_cel.go +++ b/pkg/engine/handlers/validation/validate_cel.go 
@@ -17,6 +17,7 @@ import ( "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy" "k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions" celconfig "k8s.io/apiserver/pkg/apis/cel" + "k8s.io/apiserver/pkg/cel/environment" ) type validateCELHandler struct { @@ -43,6 +44,7 @@ func (h validateCELHandler) Process( } oldResource := policyContext.OldResource() + gvr := schema.GroupVersionResource(policyContext.RequestResource()) var object, oldObject, versionedParams runtime.Object object = resource.DeepCopyObject() 
@@ -114,15 +116,18 @@ func (h validateCELHandler) Process( auditExpressions = append(auditExpressions, auditCondition) } - filterCompiler := cel.NewFilterCompiler() - filter := filterCompiler.Compile(expressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit) - messageExpressionfilter := filterCompiler.Compile(messageExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit) - auditAnnotationFilter := filterCompiler.Compile(auditExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit) - matchConditionFilter := filterCompiler.Compile(matchExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit) + compositedCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())) + if err != nil { + return resource, handlers.WithError(rule, engineapi.Validation, "Error while creating composited compiler", err) + } + filter := compositedCompiler.Compile(expressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, environment.StoredExpressions) + messageExpressionfilter := compositedCompiler.Compile(messageExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, environment.StoredExpressions) + auditAnnotationFilter := compositedCompiler.Compile(auditExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, environment.StoredExpressions) + matchConditionFilter := compositedCompiler.Compile(matchExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, environment.StoredExpressions) - newMatcher := matchconditions.NewMatcher(matchConditionFilter, nil, nil, "", "") + newMatcher := matchconditions.NewMatcher(matchConditionFilter, nil, "", "", "") - validator := 
validatingadmissionpolicy.NewValidator(filter, newMatcher, auditAnnotationFilter, messageExpressionfilter, nil, nil) + validator := validatingadmissionpolicy.NewValidator(filter, newMatcher, auditAnnotationFilter, messageExpressionfilter, nil) admissionAttributes := admission.NewAttributesRecord( object, @@ -130,7 +135,7 @@ func (h validateCELHandler) Process( resource.GroupVersionKind(), resource.GetNamespace(), resource.GetName(), - schema.GroupVersionResource{}, + gvr, "", admission.Operation(policyContext.Operation()), nil, @@ -138,7 +143,7 @@ func (h validateCELHandler) Process( nil, ) versionedAttr, _ := admission.NewVersionedAttributes(admissionAttributes, admissionAttributes.GetKind(), nil) - validateResult := validator.Validate(ctx, versionedAttr, versionedParams, celconfig.RuntimeCELCostBudget) + validateResult := validator.Validate(ctx, gvr, versionedAttr, versionedParams, nil, celconfig.RuntimeCELCostBudget, nil) for _, decision := range validateResult.Decisions { switch decision.Action { diff --git a/pkg/openapi/manager.go b/pkg/openapi/manager.go index ffb22b3e0a..d2b01b043f 100644 --- a/pkg/openapi/manager.go +++ b/pkg/openapi/manager.go @@ -7,8 +7,8 @@ import ( "sync" "github.com/go-logr/logr" - "github.com/google/gnostic/compiler" - openapiv2 "github.com/google/gnostic/openapiv2" + "github.com/google/gnostic-models/compiler" + openapiv2 "github.com/google/gnostic-models/openapiv2" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/autogen" openapicontroller "github.com/kyverno/kyverno/pkg/controllers/openapi" diff --git a/pkg/openapi/utils.go b/pkg/openapi/utils.go index 489cec1183..ae3f61a554 100644 --- a/pkg/openapi/utils.go +++ b/pkg/openapi/utils.go 
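Review bot: The composited compiler is rebuilt on every call to Process — `environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())` and `cel.NewCompositedCompiler` both run per request — and the same pattern is introduced in the `@@ -115,30 +116,41 @@` hunk of pkg/validatingadmissionpolicy/validatingadmissionpolicy.go. The base env set depends only on the fixed compatibility version, so it can be built once (a package-level `var baseEnvSet = environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())`) and the compiler created where the handler is constructed, leaving only the four Compile calls on the per-request path; Process starts and ends outside this hunk, so the construction site is not visible here. A one-line comment explaining the mode choice would also help a later reader, e.g. `// StoredExpressions: the expressions come from persisted policy objects, so compile against the compatibility env rather than the newest one` (presumably the reason; worth confirming).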
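Review bot: The new `validator.Validate(ctx, gvr, versionedAttr, versionedParams, nil, celconfig.RuntimeCELCostBudget, nil)` passes a nil namespace and a nil authorizer, so a policy expression that references `namespaceObject` or `authorizer` cannot evaluate here as it would on the API server; the nil authorizer is at least consistent with `HasAuthorizer: false` in the compile options, but nothing records the namespace gap. If policyContext can supply the namespace object it should be passed through; otherwise document the limitation on this line, e.g. `// namespace and authorizer are not supplied: expressions using namespaceObject or authorizer are unsupported in this path`. Process continues past the end of the hunk.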
@@ -7,8 +7,8 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/google/gnostic/compiler"
-	openapiv2 "github.com/google/gnostic/openapiv2"
+	"github.com/google/gnostic-models/compiler"
+	openapiv2 "github.com/google/gnostic-models/openapiv2"
 	"github.com/kyverno/kyverno/data"
 	"github.com/kyverno/kyverno/pkg/logging"
 	"golang.org/x/exp/slices"
diff --git a/pkg/validatingadmissionpolicy/validatingadmissionpolicy.go b/pkg/validatingadmissionpolicy/validatingadmissionpolicy.go
index 7e679a34f4..2ba80faf10 100644
--- a/pkg/validatingadmissionpolicy/validatingadmissionpolicy.go
+++ b/pkg/validatingadmissionpolicy/validatingadmissionpolicy.go
@@ -19,6 +19,7 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
 	celconfig "k8s.io/apiserver/pkg/apis/cel"
+	"k8s.io/apiserver/pkg/cel/environment"
 )
 
 func GetKinds(policy v1alpha1.ValidatingAdmissionPolicy) []string {
@@ -115,30 +116,41 @@ func Validate(policy v1alpha1.ValidatingAdmissionPolicy, resource unstructured.U auditExpressions = append(auditExpressions, auditCondition) } - filterCompiler := cel.NewFilterCompiler() - filter := filterCompiler.Compile( + engineResponse := engineapi.NewEngineResponse(resource, engineapi.NewValidatingAdmissionPolicy(policy), nil) + policyResp := engineapi.NewPolicyResponse() + var ruleResp *engineapi.RuleResponse + + compositedCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())) + if err != nil { + ruleResp = engineapi.RuleError(policy.GetName(), engineapi.Validation, "Error creating composited compiler", err) + policyResp.Add(engineapi.NewExecutionStats(startTime, time.Now()), *ruleResp) + engineResponse = engineResponse.WithPolicyResponse(policyResp) + return engineResponse + } + + filter := compositedCompiler.Compile( expressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, - celconfig.PerCallLimit, + environment.StoredExpressions, ) - messageExpressionfilter := filterCompiler.Compile( + messageExpressionfilter := compositedCompiler.Compile( messageExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, - celconfig.PerCallLimit, + environment.StoredExpressions, ) - auditAnnotationFilter := filterCompiler.Compile( + auditAnnotationFilter := compositedCompiler.Compile( auditExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, - celconfig.PerCallLimit, + environment.StoredExpressions, ) - matchConditionFilter := filterCompiler.Compile( + matchConditionFilter := compositedCompiler.Compile( matchExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, - celconfig.PerCallLimit, + environment.StoredExpressions, ) - newMatcher := matchconditions.NewMatcher(matchConditionFilter, nil, &failPolicy, string(matchPolicy), "") - validator := 
validatingadmissionpolicy.NewValidator(filter, newMatcher, auditAnnotationFilter, messageExpressionfilter, nil, nil) + newMatcher := matchconditions.NewMatcher(matchConditionFilter, &failPolicy, "", string(matchPolicy), "") + validator := validatingadmissionpolicy.NewValidator(filter, newMatcher, auditAnnotationFilter, messageExpressionfilter, nil) admissionAttributes := admission.NewAttributesRecord( resource.DeepCopyObject(), @@ -153,13 +165,9 @@ func Validate(policy v1alpha1.ValidatingAdmissionPolicy, resource unstructured.U nil, ) versionedAttr, _ := admission.NewVersionedAttributes(admissionAttributes, admissionAttributes.GetKind(), nil) - validateResult := validator.Validate(context.TODO(), versionedAttr, nil, celconfig.RuntimeCELCostBudget) + validateResult := validator.Validate(context.TODO(), schema.GroupVersionResource{}, versionedAttr, nil, nil, celconfig.RuntimeCELCostBudget, nil) - engineResponse := engineapi.NewEngineResponse(resource, engineapi.NewValidatingAdmissionPolicy(policy), nil) - policyResp := engineapi.NewPolicyResponse() - var ruleResp *engineapi.RuleResponse isPass := true - for _, policyDecision := range validateResult.Decisions { if policyDecision.Evaluation == validatingadmissionpolicy.EvalError { isPass = false
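Review bot: This call passes `schema.GroupVersionResource{}` as matchedResource while the equivalent call in pkg/engine/handlers/validation/validate_cel.go now passes the real `gvr`; as far as I can tell the 1.28 validator uses matchedResource to populate `request.resource`, so expressions that inspect it see an empty group/version/resource on this path, and the namespace and authorizer arguments are nil here as well. The Validate signature shown in the hunk header takes only the unstructured resource, so the GVR may simply not be available (the function starts outside the hunk); if that is the case, say so with a comment such as `// matchedResource, namespace and authorizer are unavailable in this path: request.resource, namespaceObject and authorizer are unset`, so the divergence from API-server evaluation is deliberate rather than accidental.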